b'AAAAAAAAAAAAAAA\n\n\n\n\n                  U.S. Department of Energy\n                  Office of Inspector General\n                  Office of Audit Services\n\n\n\n\n  Audit Report\n\n Certification and Accreditation of the\n Department\'s National Security\n Information Systems\n\n\n\n\n DOE/IG-0800                                    August 2008\n\x0c                                Department of Energy\n                                     Washington, DC 20585\n                                     August 1 1 ,      2008\n\n\n\nMEMORANDUM FOR\n\nFROM:\n                          Inspector General\n\nSIIHJECT:                 INFORMATION: Audit Report on "Certification and\n                          Accreditation of the Ilepartment\'s National Security Information\n                          Systems"\n\nBACKGROUND\n\nThe Department of Energy and its facility contractors maintain numerous national\nsecurity information systems that process and store classified data needed to accomplish\nnational security goals. Recognizing and addressing the risks associated with operating\nsuch systems. the Department has adopted a certification and accreditation (C&A)\nprocess designed to ensure that these systems are secure prior to beginning operation and\nthat they remain so throughout their lifecycle. The C&A process includes formal steps to\nrecognize and address risks, determine whether system security controls are in place and\noperating ef\'fectively, and ensure that changes to the system are adequately tested and\napproved.\n\nPrior Office of Inspector General reviews have identified concerns with the Department\'s\nC&A process. For example, our report on C,\'erf~ficufion   rind Accredilution c?f\'Unclu.s.s~fjed\nInfOrm~llion,5\'j:stem.s (DOEJIG-0752, January 2007) found that many of the Department\'s\nunclassified systems were not properly certified and accredited for operation due to\ninadequate policies and monitoring. 
In addition, our Special Inquiry on Selected C,\'ontrols\n                 Infi)rmution u! the Los Alumos Nutioncll Luhoru!ory (OAS-SR-07-0 1 .\nover C1lu.s,s~fied\nNovember 2006) disclosed that system security plans were incomplete and separation of\nduties over systems processing classified information had not been implemented.\nBecause of the importance of protecting classified information, we initiated this audit at\nsix of the Department\'s major facilities to determine whether national security\ninformation systems had been appropriately certified and accredited.\n\n\n\nThe Department had taken steps to improve security over its national security information\nsystems. Yet. we found that additional actions as part of the C&A process are needed to\nreduce the risk of compromise to these systems. In particular, we found that:\n\n         At five of the six sites included in our audit, risks such as a lack of separation of\n         duties and the presence of unclassified and classified systems operating in the\n         same environment, had not been addressed in system security plans;\n\x0c     a   In many instances, security plans, or changes to systems, were not appropriately\n         approved by Department officials. Further, in certain cases, plans did not\n         accurately reflect the actual environment in which the system operated; and,\n     a   At five of the six sites reviewed, contingency plans had not been developed for\n         national security infonnation systems - a critical activity required to mitigate the\n         risk of service disruption.\nSeveral problems contributed to the weaknesses identified during our review. In\nparticular, the Department had not yet fully developed and implemented adequate cyber\nsecurity policies to ensure that national security infonnation systems were adequately\nprotected. In addition, Federal and contractor officials did not always utilize effective\nmechanisms to monitor performance of security controls. 
Without inlprovements, the\nDepartment lacks assurance that its classified data and systems are secure from numerous\nthreats and vulnerabilities. The issues identified during our review were similar to those\nthat contributed to an environment in which the theft of classified information at the Los\nAlamos National Laboratory occurred in 2006. In our judgment, the findings in the\nattached report suggests that the Department could be at risk for similar diversions.\nWe noted that the Department had initiated a wide range of actions to address cyber\nsecurity weaknesses. For example, in response to our Special Inquiry on Selected\nC\'ontrols over CTlus.sified67fi,rmution at the Los Alarnos Nation~llLuhorcrtory, the Deputy\nSecretary required each site to conduct a thorough examination of the adequacy of its\npractices and procedures to ensure that classified information was protected. In addition,\nthe Department updated its Nutionul S"krity Sy.stern Munuul in March 2007 to further\nenhance its cyber protective requirements. While these were positive steps, they have\nnot, as evidenced by the findings described in our report, adequately resolved weaknesses\nin controls over national security information systems. In that light, we made several\nrecommendations designed to further enhance security over the Department\'s national\nsecurity information systems.\nDue to security considerations, specific information regarding the locations and systems\nreviewed has been omitted from this report and supplied to Department officials directly.\nMANAGEMENT REACTION\nManagement concurred with two of the report\'s four recomnlendations and pledged to\ntake needed corrective actions. In response to management\'s comments and additional\ntechnical data provided by program officials. we clarified the intent of the two\nrecommendations with which management disagreed. 
In separate comments, the NNSA\nagreed with the information contained in the report and concurred with each of the NNSA\nspecific recommendations. Management\'s comments are included in Appendix 3.\nAttachment\n\ncc: Acting Deputy Secretary\n    Under Secretary of Energy\n    lJnder Secretary for Science\n    Administrator, National Nuclear Security Administration\n    Chief of Staff\n\x0cREPORT ON CERTIFICATION AND ACCREDITATION OF THE\nDEPARTMENT\'S NATIONAL SECURITY INFORMATION\nSYSTEMS\n\n\nTABLE OF\nCONTENTS\n\n\n    Protection of National Security Information Systems\n\n    Details of Finding ..........................................................................................................1\n\n    Recommendations .........................................................................................................7\n\n    Comments .....................................................................................................................8\n\n\n    Appendices\n\n    1. Objective, Scope, and Methodology........................................................................9\n\n    2. Prior Reports ..........................................................................................................11\n\n    3. Management Comments ........................................................................................12\n\x0cProtection of National Security Information Systems\n\nEnsuring Security     Our audit focused on the certification and accreditation\nOver Classified       (C&A) of national security information systems and\nInformation Systems   included the review of 65 systems at six of the Department\n                      of Energy\'s (Department) major sites. 
These systems were\n                      managed by various elements of the Department, including\n                      the National Nuclear Security Administration (NNSA), the\n                      Office of Environmental Management (EM) and the Office\n                      of Science (Science).\n\n                      Our review of these systems disclosed that many of them\n                      were not appropriately certified and accredited for\n                      operation. In particular, organizations did not always\n                      identify and/or address risks to systems to ensure that\n                      mitigating controls were in place. In a number of instances,\n                      system security plans reviewed were not appropriately\n                      accredited, changes were not approved, or the plans did not\n                      accurately describe the respective systems. In addition,\n                      sites had not developed and implemented contingency\n                      plans for national security information systems.\n                                             System Risks\n                      Responsible officials had not ensured that system-specific\n                      risks, such as those that could allow unauthorized access or\n                      release of classified information, were addressed in system\n                      security plans. In particular:\n                         \xe2\x80\xa2   Although prohibited by Department policies,\n                             Information System Security Officers \xe2\x80\x93 those\n                             individuals responsible for ensuring security of an\n                             information system \xe2\x80\x93 were inappropriately granted\n                             system administrator access for 31 of the 56\n                             systems reviewed at 5 sites. 
Officials at two NNSA\n                             sites informed us that this situation also existed for\n                             many of their systems not selected for our review.\n                             As disclosed in our Special Inquiry on Selected\n                             Controls over Classified Information at the Los\n                             Alamos National Laboratory, inadequate separation\n                             of duties can, as a practical matter, allow\n                             individuals to supervise and approve their own\n                             work. Despite this risk, the lack of separation of\n                             duties and needed mitigating controls were not\n                             addressed in system security plans.\n                         \xe2\x80\xa2   While we observed the existence of unclassified and\n                             national security information systems operating in\n                             the same environment at certain locations, risks\n\n________________________________________________________________\nPage 1                                            Details of Finding\n\x0c                             associated with mixed-media environments were\n                             not always documented in the system security plans.\n                             This risk \xe2\x80\x93 exacerbated by the lack of segregation of\n                             duties \xe2\x80\x93 could permit the transfer of classified\n                             information to unclassified systems. 
Absent\n                             documentation of this risk, the Federal official\n                             responsible for approving operation of the systems\n                             may not have been aware of all potential\n                             vulnerabilities.\n\n                         \xe2\x80\xa2   Risks related to weak methods for implementing\n                             passwords on national security information systems\n                             at one NNSA site were not documented. Even\n                             though the Department directs that computer-\n                             generated passwords be used on national security\n                             information systems, users were permitted to\n                             manually change passwords outside of automated\n                             password controls without checks being performed\n                             to ensure the strength of the password or\n                             compliance with requirements. Officials at the site\n                             did not document this weakness in the security\n                             plans because they did not believe it to be a security\n                             risk even though the practice was specifically\n                             prohibited by the Department. Guidance issued by\n                             the National Institute of Standards and Technology\n                             (NIST) also stresses that user-created passwords are\n                             more vulnerable to compromise.\n\n                                           Security Planning\n\n                      Designated Approving Authorities (DAA) did not always\n                      validate and approve system plans or related modifications\n                      to plans even though significant and unique security risks\n                      existed. 
In particular, approvals of system security plans\n                      were at too high a level and did not consider all variations\n                      of system risks. At one NNSA site, the DAA approved an\n                      overarching master security plan and one related sub-plan.\n                      However, he did not specifically approve the remaining 22\n                      sub-plans even though significant differences existed\n                      between them. Rather than provide explicit approval, the\n                      DAA relied on contractor officials to certify plans for\n                      systems ranging from supercomputers and classified\n                      networks to individual computers used to move files\n                      between classified and unclassified systems. Although\n                      Department directives permit the use of this master plan\n                      approach, the operating environments of the systems should\n________________________________________________________________\nPage 2                                            Details of Finding\n\x0c                      be similar. In this instance, the DAA could not ensure that\n                      all risks to the systems were either addressed through\n                      mitigating controls or accepted as a residual risk.\n\n                      System security plans also did not always accurately reflect\n                      system accreditation boundaries in that they did not contain\n                      accurate inventories of hardware associated with the\n                      system. For instance, a system observed at one NNSA site\n                      contained ten servers even though none were explicitly\n                      approved for operation in the security plan. 
In addition,\n                      security plans at other NNSA, EM, and Science sites did\n                      not always contain accurate inventories, in that they\n                      excluded items such as Universal Serial Bus (USB)\n                      scanners, a camera, and network and desktop printers. In\n                      most cases, the DAA did not approve these changes to\n                      information systems even though the addition of certain of\n                      those devices may have created additional security risks.\n                      These issues are similar to weaknesses previously reported\n                      in our Special Inquiry on Selected Controls over Classified\n                      Information at the Los Alamos National Laboratory, which\n                      disclosed that omitting equipment from plans prevented\n                      security officials from evaluating the impact of these\n                      changes and may have contributed to an environment in\n                      which the theft of classified information occurred. As\n                      noted by NIST, accurate inventories are a key initial step in\n                      determining what system elements are exposed to security\n                      risks.\n\n                                         Contingency Planning\n\n                      In spite of Federal and Departmental requirements to\n                      ensure that information systems and data can be recovered\n                      in the event of a disaster, five sites had not appropriately\n                      developed and implemented contingency plans for their\n                      national security information systems. 
Although\n                      requirements issued jointly by the NNSA and the\n                      Department\'s Chief Information Officer (CIO) mandated\n                      that at least 80 percent of information systems have a\n                      documented and tested contingency plan in place by July\n                      2005, we found that sites had developed such plans for only\n                      19 of 65 (29%) systems reviewed. Sites had not developed\n                      contingency plans for systems such as classified computing\n                      networks utilized by hundreds of users, or for various\n                      research systems supporting the Department\'s national\n                      security mission. In addition, many of the systems without\n                      contingency plans did not require data backups or the\n________________________________________________________________\nPage 3                                            Details of Finding\n\x0c                      backups were maintained in the same building as the\n                      original data \xe2\x80\x93 sometimes even in the same room. Some\n                      sites also had either not fully identified mission-critical\n                      systems or had not prioritized their recovery in the event of\n                      a disaster. As stressed by NIST, the ability to successfully\n                      implement contingency planning is essential to mitigating\n                      the risk of system and service unavailability. Notably, one\n                      NNSA laboratory had established contingency plans for\n                      each of the systems that had been included in our review.\n\nSecurity Policy and   We identified several problems that contributed,\nProgram Monitoring    in part, to the weaknesses in the Department\'s certification\n                      and accreditation (C&A) process. 
In particular, policies\n                      and guidance did not always clearly define C&A\n                      requirements. However, even when policies were\n                      developed, facilities often had not implemented the\n                      required controls. In addition, performance monitoring by\n                      Headquarters and site officials was not adequate to ensure\n                      that requirements were met. Further, we found that similar\n                      problems disclosed in reports authored by the Department\'s\n                      Office of Health, Safety and Security had not been totally\n                      resolved.\n\n                                         Cyber Security Policy\n\n                      Headquarters programs and sites reviewed had not fully\n                      developed and implemented cyber security policies to\n                      ensure that national security information systems were\n                      adequately protected. In particular, policies and guidance\n                      issued by the Department did not always clearly define\n                      C&A requirements. For instance, our analysis showed that\n                      significant security changes were inappropriately made to\n                      systems due to the lack of guidance or direction as to what\n                      changes required approval by the DAA. Incomplete\n                      guidance for contingency planning allowed many sites to\n                      limit their disaster recovery efforts for national security\n                      information systems. 
Although the Department updated its\n                      National Security System Manual, DOE Manual 205.1-4,\n                      and required that additional controls be incorporated into\n                      Program Cyber Security Plans (PCSP), officials from\n                      Headquarters and sites commented that the new mandates\n                      were vague and could not be effectively implemented.\n\n                      PCSPs were not always updated to reflect the Department\'s\n                      new requirements for protecting national security\n                      information systems and/or had not been implemented by\n________________________________________________________________\nPage 4                                            Details of Finding\n\x0c                                    field sites. Specifically, although the Department required\n                                    implementation of its updated National Security System\n                                    Manual by July 2007, the NNSA still had not updated its\n                                    PCSP to include additional requirements. As a result of\n                                    this delay, NNSA sites that were required to follow the\n                                    PCSP continued to implement outdated requirements for\n                                    protecting national security information systems. For\n                                    example, 18 systems at one NNSA site were re-accredited\n                                    since the new manual was issued. However, none of the\n                                    security plans required updated controls such as\n                                    segregation of duties and two-factor authentication1 for\n                                    system access. 
Officials at this site commented that\n                                    updated controls would not be implemented until re-\n                                    accreditation of a system, which would not occur for up to\n                                    three years. Similarly, none of the 10 networks, and nearly\n                                    300 workstations accredited at another NNSA site since the\n                                    new manual was issued, were required to comply with the\n                                    new mandates. Subsequent to our field site reviews, the\n                                    NNSA issued an updated PCSP to incorporate new\n                                    requirements for securing national security information\n                                    systems. If fully implemented, this plan should help\n                                    address a number of weaknesses identified in our report.\n\n                                    Even when PCSPs were developed by Headquarters\n                                    programs, sites reviewed had not implemented the controls\n                                    required by the plans. Specifically, none of the systems\n                                    accredited at three Science, EM, and Office of Nuclear\n                                    Energy sites after the issuance of updated PCSPs were\n                                    completed in accordance with the new requirements. In\n                                    one case, officials at a Science site acknowledged that the\n                                    lack of separation of duties nullified a number of other\n                                    security controls, including the ability to protect USB ports\n                                    on classified systems. 
To its credit, this site developed a\n                                    gap analysis describing weaknesses in controls over\n                                    national security information systems and initiated the\n                                    process to correct them. By failing to comply with their\n                                    respective PCSPs, sites had not always implemented\n                                    additional controls designed to enhance security over\n                                    information systems.\n\n                                    Sites reviewed also had not updated local cyber security\n                                    policies or developed transition plans to ensure that new\n\n1\n  Two-factor authentication requires two independent ways to establish identity and privileges, such as both\na physical device and a password, while traditional password authentication only requires knowledge of a\npassword to gain access to a system.\n________________________________________________________________\nPage 5                                            Details of Finding\n\x0c                      Department requirements were met. Specifically, several\n                      sites reviewed had not developed Cyber Security Program\n                      Plans (CSPP) \xe2\x80\x93 site-level policies and procedures designed\n                      to ensure effective security controls are implemented \xe2\x80\x93 that\n                      included controls in the new National Security System\n                      Manual. At two NNSA sites, the CSPPs were updated\n                      more than six months after the issuance of the new manual,\n                      but still did not include new requirements even though they\n                      were required by the site contracts. 
In addition, five sites\n                      had either not determined what new requirements should be\n                      implemented or had not established a transition plan to\n                      meet those requirements.\n\n                                       Performance Monitoring\n                      Headquarters and field site officials did not always\n                      implement effective mechanisms to ensure adequate C&A\n                      of national security information systems. Although NNSA\n                      Headquarters officials conducted an assessment of\n                      classified cyber security at two of the sites reviewed, the\n                      sites were not informed of the results and therefore could\n                      not develop corrective action plans to address identified\n                      weaknesses. Timely and effective evaluations may have\n                      identified many of the weaknesses noted during our review\n                      and permitted the initiation of corrective actions.\n                      We also noted that assessments conducted by site-level\n                      officials were not always effective or were not performed.\n                      For instance, although one NNSA site office completed an\n                      evaluation of its laboratory\'s cyber security program in\n                      Fiscal Year 2007, it did not identify or track corrective\n                      actions for weaknesses such as inadequate separation of\n                      duties or incomplete inventories of equipment in system\n                      security plans. In addition, the DAA at another site office\n                      commented that he was unable to conduct effective surveys\n                      in the past year due to a lack of resources. 
We also found\n                      weaknesses in the contractors\' self-assessment processes at\n                      four sites, including untimely assessments and inadequate\n                      separation between those responsible for testing and\n                      implementing controls.\n                      Finally, even though sites and Headquarters officials\n                      became aware of similar weaknesses through evaluations\n                      conducted by the Department\'s Office of Health, Safety and\n                      Security, they had not always taken appropriate action to\n                      remediate such vulnerabilities.\n\n________________________________________________________________\nPage 6                                            Details of Finding\n\x0cInformation Security   Without improvements, the Department lacks assurance\nand Assurance          that its national security information systems are secure\n                       from both internal and external threats. As noted in our\n                       Special Inquiry on Selected Controls over Classified\n                       Information at the Los Alamos National Laboratory, the\n                       lack of separation of duties, if exploited, can result in the\n                       unauthorized exfiltration of classified information to the\n                       detriment of national security. Similarly, these conditions\n                       could permit the introduction of unauthorized peripheral\n                       devices. 
As a demonstration of the harm that can be caused by unapproved devices, we specifically identified an unapproved network device during our previous review at the Los Alamos National Laboratory that may have contributed to a significant theft of classified information. In addition, the failure to develop and test contingency plans limits the Department's assurance that it will be able to restore critical operations in a timely manner in the event of a disaster.

RECOMMENDATIONS

To address the issues identified in this report and improve controls over national security information systems, we recommend that the Department and NNSA CIOs, in coordination with the Under Secretary of Energy and the Under Secretary for Science, as appropriate:

    1. Ensure that Department policies are updated to reflect current requirements for securing national security information systems.

We further recommend that the Administrator, NNSA, the Under Secretary of Energy, and the Under Secretary for Science:

    2. Ensure that current PCSPs are utilized for all future system C&As; and,

    3. Prioritize and immediately implement high-risk security controls, such as segregation of duties and two-factor authentication, to protect the Department's classified information and systems.

We also recommend that the Administrator, NNSA:

    4. Enhance performance monitoring and oversight activities at Headquarters and field sites to ensure effective C&A of national security information systems.

Page 7                              Recommendations and Comments

MANAGEMENT REACTION

Management concurred with recommendations one and three. Specifically, management indicated that steps will be taken to update existing security policies and to implement high-risk controls over national security information systems. Based on management's comments and additional technical information provided by program officials, we modified recommendation two in our draft report to recognize that each of the program's PCSPs had now been updated to reflect requirements in the Department's new National Security System Manual. The updated PCSPs, as the modified recommendation indicates, should be used for weaknesses in the NNSA's performance monitoring and oversight process. Recommendation four was also modified to focus solely on weaknesses in NNSA's performance monitoring and oversight process. In separate comments, the NNSA agreed with the information contained in the report and concurred with each of the specific recommendations. The NNSA disclosed that it recently updated its cyber security policies and is working to implement the recommendations contained in the report.

AUDITOR COMMENTS

Management's comments are generally responsive to our recommendations. We continue to recommend that the Department's programs utilize their updated PCSPs when conducting future C&A activities for national security information systems because weaknesses in this area directly contributed to problems with implementing protective controls. Additional action is also needed to enhance the NNSA's performance monitoring process over its national security information systems.
Management's comments are included in their entirety in Appendix 3.

Appendix 1

OBJECTIVE

The objective of this audit was to determine whether the Department of Energy's (Department) national security information systems have been appropriately certified and accredited for operation.

SCOPE

The audit was performed between October 2007 and May 2008 at Department Headquarters in Washington, DC, and Germantown, Maryland, and five field sites – three managed by the National Nuclear Security Administration (NNSA), one managed by the Office of Environmental Management, and one managed by the Office of Science (Science). We also obtained information from an Office of Nuclear Energy site not visited.

METHODOLOGY

To accomplish our objective, we:

    • Reviewed Federal regulations and Departmental directives and guidance pertaining to certification and accreditation (C&A) of national security information systems;

    • Reviewed prior reports issued by the Office of Inspector General and the Department's Office of Health, Safety and Security;

    • Reviewed program and site level policies relevant to C&A of national security information systems;

    • Held discussions with program officials from Department Headquarters and sites reviewed, including representatives from the Office of Chief Information Officer (OCIO), Science, and the Under Secretary of Energy, as well as the NNSA; and,

    • Judgmentally selected a sample of 65 system security plans for review to determine whether relevant C&A requirements had been implemented.

The audit was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. Accordingly, we assessed internal controls regarding the C&A of national security information systems across the Department. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We also assessed performance measures in accordance with the Government Performance and Results Act of 1993 relevant to C&A of national security information systems. We found that two of the six field sites reviewed had established limited measures specific to this area. We did not rely on computer-processed data to satisfy our audit objective. Officials from the Office of the Chief Information Officer and the NNSA waived an exit conference.

Appendix 2

PRIOR OFFICE OF INSPECTOR GENERAL REPORTS

Office of Inspector General Reports

    • Special Report on Management Challenges at the Department of Energy (DOE/IG-0782, December 2007). The Office of Inspector General (OIG) identified seven significant management challenges facing the Department of Energy (Department), including cyber security.
      The report noted that although the Department had in place an aggressive effort to address existing weaknesses, we continued to identify deficiencies, including problems relevant to the Department's certification and accreditation of unclassified information systems.

    • Audit Report on Certification and Accreditation of Unclassified Information Systems (DOE/IG-0752, January 2007). Many systems were not properly certified and accredited prior to becoming operational. For example, 9 of 14 sites reviewed had not always properly categorized security levels or risk of damage to systems and information contained within, or had not adequately tested and evaluated security controls. In many instances, senior agency officials accredited systems even though required documentation was inadequate or incomplete, such as incomplete inventories of software and hardware included within defined accreditation boundaries. In addition, the Office of the Chief Information Officer and other program organizations did not adequately review completed activities for quality or compliance with requirements.

    • Special Inquiry on Selected Controls over Classified Information at the Los Alamos National Laboratory (OAS-SR-07-01, November 2006). We found that the security framework at the Laboratory was seriously flawed. For instance, security policy in a number of key areas was non-existent, applied inconsistently, or not followed. In addition, monitoring by both Laboratory and Federal officials was inadequate; critical security functions were not adequately segregated; and physical verification of the accuracy of security plans by Federal and Laboratory officials was not performed.

    • Evaluation Report on The Department's Unclassified Cyber Security Program - 2007 (DOE/IG-0776, September 2007). The evaluation identified continued deficiencies in the Department's cyber security program that exposed its critical systems to an increased risk of compromise. In particular, weaknesses existed relevant to system certification and accreditation, contingency planning, access controls, configuration management, and change controls. Problems occurred, at least in part, because Department organizations had not always ensured that Department policies and cyber security controls were adequately implemented and conformed to Federal requirements.

Appendix 3

MANAGEMENT COMMENTS

(Pages 12 through 15 of the report; management's comments are not present as text in this copy.)

IG Report No. DOE/IG-0800

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                           Office of Inspector General (IG-1)
                                 Department of Energy
                                Washington, DC 20585

                              ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Judy Garland-Smith (202) 586-7828.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

              U.S. Department of Energy Office of Inspector General Home Page
                                  http://www.ig.energy.gov

Your comments would be appreciated and can be provided on the Customer Response Form.